The present invention relates to a communication processing system, a communication processing method, a server, and a computer program. More particularly, the present invention relates to a communication processing system, a communication processing method, a server, and a computer program, which allow a secure communication between communication terminals.
The Internet has become very popular, and it is now used widely. With the increasing popularity of the Internet, communication among desktop personal computers, portable personal computers, or portable telephones, has also become popular. The Internet allows users to communicate by connecting their small-sized devices having a communication/information processing capability to a network, regardless of whether users are in or out of their offices and even regardless of whether they are moving.
In a mobile computing environment, portable terminals called nodes are assumed to move while they receive service via the network to which they are connected. In such an environment, communication must continue without interruption regardless of changes in the location of the nodes.
In the Internet, the Internet Protocol (“IP”) is used as the communication protocol. At present, IPv4 is one of the most widely used versions of IP. In IPv4, a 32-bit address (IP address) identifies an originating/destination device. In Internet communication, a 32-bit IP address called a global IP address is uniquely assigned to each originating/destination device so that each such device can be identified by its assigned IP address. However, as the Internet keeps expanding, the IPv4 address space is being exhausted; that is, the available number of global addresses is no longer large enough to satisfy current demands and requirements. To solve this problem, the Internet Engineering Task Force (“IETF”) has proposed a new version of IP, Internet Protocol version 6 (“IPv6”), which expands the IP address space from 32 bits to 128 bits.
The IETF has also proposed a protocol called Mobile IPv6 for use in the mobile computing environment.
In Mobile IPv6, each node has two IP addresses, that is, a home address and a care-of address. With movement of a mobile node, its care-of address varies depending on which subnetwork the mobile node is currently connected to. The home address is fixed regardless of the movement of the node. Any node can communicate with a mobile node simply by designating the home address of that mobile node, regardless of the current location of the mobile node, that is, regardless of which subnetwork the mobile node is currently connected to.
The communication with a mobile node is enabled via a process performed by a home agent according to Mobile IPv6. The home agent is a node that is connected to a subnetwork corresponding to the home address of a node. When a communication node moves, the home agent receives a binding update packet including a new care-of address from the communication node, and, in response, the home agent updates a binding cache in which the correspondence between the home address (fixed) and the care-of address (varying) is stored. The home agent announces routing information corresponding to a home address of a mobile node via a network.
FIG. 1 shows a procedure of registering a care-of address. When a mobile terminal 301 serving as a mobile node moves, the mobile terminal 301 acquires a care-of address from the subnetwork to which it has been switched. The mobile terminal (mobile node) 301 generates a binding update packet including its home address, the care-of address, and authentication data, and transmits it to a home agent 302.
FIG. 2 shows the format of the IPv6 header of an IPv6 packet. As shown in FIG. 2, the IPv6 header includes 4-bit data indicating the protocol version, 8-bit data indicating a traffic class (priority), 20-bit data indicating a flow label used to identify packets that request special handling from a router serving as a communication relay apparatus, a sender address indicating the address of the node that transmits the packet, a destination address indicating the address of the node to which the packet is transmitted, and optional extension headers.
FIG. 3 shows a format of an IPv6 address. The higher-order 64 bits of the IPv6 address are used to represent a network prefix, and the lower-order 64 bits are used to represent an interface ID that identifies a network interface of a node on a subnetwork the node is connected to. The interface ID is uniquely determined within the subnetwork. For example, a MAC address may be employed as the interface ID.
FIG. 4 shows a conventional binding update packet, which is a packet including node movement information transmitted from a mobile node to a home agent. In an IPv6 header, the care-of address of the mobile terminal 301 is described in a sender address field, and the address of the home agent is described in a destination address field.
In the extension header, the home address of the mobile terminal 301 and data indicating that the present packet is an update request message are stored in a transmission header. The extension header also includes an authentication header.
FIG. 5 shows the format of the authentication header. The authentication header includes an SPI (Security Parameters Index), a sequence number, and authentication data. As shown in FIG. 6, the home agent 302 identifies the security association (SA) on the basis of the destination address and the SPI in the authentication header, and from the SA determines the key and the authentication scheme to be used.
If the home agent 302 receives a binding update packet, the home agent 302 determines whether or not authentication data is valid. If the authentication data is determined to be valid, the home agent 302 registers, in a binding cache in the home agent 302, a care-of address included in the received binding update packet. The home agent 302 updates the binding cache in the home agent 302 and transmits a response packet to the mobile terminal 301.
Referring to FIG. 7, a procedure of transmitting a packet from a conventional terminal 303 to a moving mobile terminal 301 is described below. The conventional terminal 303 transmits data indicating the host name of the moving mobile terminal 301 to the domain name server 304 and queries the domain name server 304 for the home address of the moving terminal 301. The domain name server 304, which has data indicating the correspondence between the host name and the home address, as shown in FIG. 8, retrieves the home address of the moving mobile terminal 301 on the basis of the host name and transmits the retrieved home address to the conventional terminal 303. The conventional terminal 303 generates a packet in which the home address of the moving mobile terminal 301 is designated as the destination address, as shown in FIG. 9, and the conventional terminal 303 transmits the generated packet.
The packet transmitted from the conventional terminal 303 is delivered to the home agent 302 in accordance with the network prefix announced by the home agent 302 over the network. Upon receiving the packet transmitted from the conventional terminal 303, the home agent 302 adds an IPv6 header, in which the care-of address of the mobile terminal 301 is designated as the destination address as shown in FIG. 10, to the received packet (thereby encapsulating the received packet with the IPv6 header) and transmits it. This packet is delivered to the mobile terminal 301 in accordance with an ordinary path control scheme. Upon receiving this packet, the mobile terminal 301 removes the IPv6 header added by the home agent 302 from the received packet thereby acquiring the original packet.
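The header layout of FIG. 2, the prefix/interface-ID split of FIG. 3 and the encapsulation of FIG. 10 can be exercised together in code. The following Python is an added example written for this discussion; it is not part of the patent or of any implementation it cites. It assumes the modified EUI-64 rule of RFC 4291 for deriving an interface ID from a MAC address (the text only says a MAC address may be used), the IANA protocol number 41 for IPv6-in-IPv6 encapsulation, and constructed sample addresses from the 2001:db8::/32 documentation prefix.

```python
# Added example (not from the patent): parse/build the IPv6 header of FIG. 2,
# split an address into prefix and interface ID as in FIG. 3 (interface ID
# derived from a MAC address by modified EUI-64, an assumption beyond the text),
# and perform the home-agent encapsulation / mobile-node decapsulation of FIG. 10.
import ipaddress
import struct
from dataclasses import dataclass

IPV6_HEADER_LEN = 40
NEXT_HEADER_IPV6 = 41  # IANA protocol number for IPv6-in-IPv6 (tunnel) packets


@dataclass
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address

    def pack(self) -> bytes:
        # First 32 bits: 4-bit version | 8-bit traffic class | 20-bit flow label.
        word0 = (self.version << 28) | (self.traffic_class << 20) | self.flow_label
        return struct.pack("!IHBB16s16s", word0, self.payload_length, self.next_header,
                           self.hop_limit, self.src.packed, self.dst.packed)

    @classmethod
    def unpack(cls, data: bytes) -> "IPv6Header":
        if len(data) < IPV6_HEADER_LEN:
            raise ValueError("truncated IPv6 header")
        word0, plen, nh, hl, src, dst = struct.unpack("!IHBB16s16s", data[:IPV6_HEADER_LEN])
        version = word0 >> 28
        if version != 6:
            raise ValueError(f"not an IPv6 packet (version {version})")
        return cls(version, (word0 >> 20) & 0xFF, word0 & 0xFFFFF, plen, nh, hl,
                   ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst))


def split_address(addr):
    """Return (64-bit network prefix, 64-bit interface ID) of an IPv6 address (FIG. 3)."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & ((1 << 64) - 1)


def compose_address(prefix: int, interface_id: int) -> ipaddress.IPv6Address:
    """Inverse of split_address: prefix in the high 64 bits, interface ID in the low 64."""
    return ipaddress.IPv6Address((prefix << 64) | interface_id)


def interface_id_from_mac(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): insert 0xFFFE between the two
    halves of the 48-bit MAC and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def build_packet(src, dst, payload: bytes, next_header: int = 17) -> bytes:
    """Minimal IPv6 packet; the payload is opaque here (not parsed as UDP)."""
    hdr = IPv6Header(6, 0, 0, len(payload), next_header, 64,
                     ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst))
    return hdr.pack() + payload


def encapsulate(packet: bytes, home_agent, care_of, hop_limit: int = 64) -> bytes:
    """Home agent: wrap the packet addressed to the home address in an outer IPv6
    header whose destination is the mobile node's current care-of address."""
    outer = IPv6Header(6, 0, 0, len(packet), NEXT_HEADER_IPV6, hop_limit,
                       ipaddress.IPv6Address(home_agent), ipaddress.IPv6Address(care_of))
    return outer.pack() + packet


def decapsulate(data: bytes) -> bytes:
    """Mobile node: strip the outer header and recover the original packet,
    rejecting inconsistent lengths or a non-tunnel next-header value."""
    outer = IPv6Header.unpack(data)
    if outer.next_header != NEXT_HEADER_IPV6:
        raise ValueError("not an IPv6-in-IPv6 tunnel packet")
    inner = data[IPV6_HEADER_LEN:IPV6_HEADER_LEN + outer.payload_length]
    if len(inner) != outer.payload_length:
        raise ValueError("payload length does not match outer header")
    IPv6Header.unpack(inner)  # the inner packet must itself be well-formed IPv6
    return inner
```

A mobile node that accepts tunnelled packets should, as decapsulate does, check that the outer payload length matches the data actually present and that the inner packet is itself a well-formed IPv6 packet before handing it up the stack; an outer header that claims more payload than arrived is an inconsistency a receiver should reject rather than pad.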
The mobile terminal 301 then generates a binding update packet including the authentication header and the care-of address of the mobile terminal 301 and transmits it to the conventional terminal 303 to inform the conventional terminal 303 of that care-of address. When the conventional terminal 303 receives the binding update packet, it checks the authentication data to determine whether the received data is valid. If the data is determined to be valid, the conventional terminal 303 registers the care-of address of the mobile terminal 301 in its binding cache. After completion of the registration, the conventional terminal 303 transmits an acknowledgement packet to the mobile terminal 301.
As shown in FIG. 11, in the packet transmitted from the mobile terminal 301 to the conventional terminal 303, the care-of address of the mobile terminal 301 is described in the sender address field, and the home address of the mobile terminal 301 is described in the destination options header of the extension header. This packet arrives at the conventional terminal 303 via an optimum path.
Upon receiving the binding update packet, the conventional terminal 303 transmits to the mobile terminal 301 a packet including an additional routing header as shown in FIG. 12. This packet arrives at the mobile terminal 301 via an optimum path.
If the mobile terminal 301 moves, the mobile terminal 301 transmits a new care-of address to the conventional terminal 303 and the home agent 302. If the conventional terminal 303 receives the new care-of address, the conventional terminal 303, as with the home agent 302, stores the home address and the care-of address of the mobile terminal 301 into the binding cache. The mobile terminal 301 periodically transmits a binding update packet to the home agent 302 and the conventional terminal 303, and, in response, the conventional terminal 303 updates the binding cache.
The operation performed when the mobile terminal 301 moves is described below with reference to FIG. 13. The mobile terminal 301 acquires a care-of address from the subnetwork to which the mobile terminal 301 has been switched. The mobile terminal 301 generates a binding update packet including the home address of the mobile terminal 301 and other data as shown in FIG. 14 and transmits it to the conventional terminal 303. If the conventional terminal 303 receives the binding update packet, the conventional terminal 303 checks whether the authentication data included in the binding update packet is valid. If it is determined that the authentication data is valid, the conventional terminal 303 registers, in the binding cache, the care-of address of the mobile terminal 301 included in the binding update packet. After completion of the registration, the conventional terminal 303 transmits an acknowledgement packet to the terminal 301.
The mobile terminal 301 also generates a binding update packet including the home address of the mobile terminal 301 as shown in FIG. 15 and transmits it to the home agent 302. When the home agent 302 receives the binding update packet, it checks whether the authentication data included in the binding update packet is valid. If the authentication data is determined to be valid, the home agent 302 registers, in its binding cache, the care-of address of the mobile terminal 301 included in the binding update packet. After completion of the registration, the home agent 302 transmits an acknowledgement packet to the mobile terminal 301.
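The check performed on a received binding update by the home agent 302 (FIGS. 4 to 6) and by the conventional terminal 303 (FIGS. 14 and 15) is the same: locate the security association from the destination address and the SPI, verify the authentication data, and only then write the care-of address into the binding cache. The Python below is an added example for this discussion, not code from the patent. Its message layout (destination address, home address, care-of address, SPI, sequence number and authentication data, concatenated) and its use of HMAC-SHA256 as the authentication scheme are assumptions; the patent specifies neither. It also uses the sequence number carried in the authentication header to reject replayed updates, which the patent mentions only as a field.

```python
# Added example (not from the patent): receiver-side verification of a binding
# update as performed by a home agent or a correspondent terminal. The message
# layout and HMAC-SHA256 are assumptions; sample addresses use 2001:db8::/32.
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# destination address, home address, care-of address, SPI, sequence number, auth data
BU_FORMAT = "!16s16s16sII32s"
BU_LEN = struct.calcsize(BU_FORMAT)


@dataclass
class SecurityAssociation:
    key: bytes
    algorithm: str = "hmac-sha256"  # assumed scheme, selected by the SA
    last_seq: int = 0               # highest sequence number accepted so far


def _packed(addr) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def compute_auth_data(key, dst, home, care_of, spi, seq) -> bytes:
    """HMAC over every field the receiver acts on, so a modified care-of
    address, SPI or sequence number invalidates the authentication data."""
    body = _packed(dst) + _packed(home) + _packed(care_of) + struct.pack("!II", spi, seq)
    return hmac.new(key, body, hashlib.sha256).digest()


def build_binding_update(key, dst, home, care_of, spi, seq) -> bytes:
    """Mobile node side: assemble the update and append its authentication data."""
    tag = compute_auth_data(key, dst, home, care_of, spi, seq)
    return struct.pack(BU_FORMAT, _packed(dst), _packed(home), _packed(care_of), spi, seq, tag)


def parse_binding_update(data: bytes):
    if len(data) != BU_LEN:
        raise ValueError("malformed binding update")
    dst, home, care_of, spi, seq, tag = struct.unpack(BU_FORMAT, data)
    return (ipaddress.IPv6Address(dst), ipaddress.IPv6Address(home),
            ipaddress.IPv6Address(care_of), spi, seq, tag)


class BindingUpdateReceiver:
    """The SA database and binding cache of one receiver (home agent or terminal)."""

    def __init__(self):
        self.sad = {}            # (destination address, SPI) -> SecurityAssociation
        self.binding_cache = {}  # home address -> care-of address

    def add_sa(self, dst, spi: int, key: bytes):
        self.sad[(ipaddress.IPv6Address(dst), spi)] = SecurityAssociation(key)

    def verify_and_register(self, update: bytes) -> str:
        """Return 'acknowledged' when the cache was updated, else the reason for rejection."""
        try:
            dst, home, care_of, spi, seq, auth_data = parse_binding_update(update)
        except ValueError as exc:
            return f"rejected: {exc}"
        # 1. Find the SA from destination address and SPI (FIG. 6); unknown -> drop.
        sa = self.sad.get((dst, spi))
        if sa is None:
            return "rejected: no security association"
        # 2. Verify the authentication data with the SA's key, in constant time.
        expected = compute_auth_data(sa.key, dst, home, care_of, spi, seq)
        if not hmac.compare_digest(expected, auth_data):
            return "rejected: bad authentication data"
        # 3. Reject replays: the sequence number must strictly increase per SA.
        if seq <= sa.last_seq:
            return "rejected: replayed sequence number"
        sa.last_seq = seq
        # 4. Only now register the care-of address in the binding cache.
        self.binding_cache[home] = care_of
        return "acknowledged"

    def lookup(self, home):
        """Current care-of address registered for a home address (string), or None."""
        care_of = self.binding_cache.get(ipaddress.IPv6Address(home))
        return None if care_of is None else str(care_of)
```

The order matters: the SA lookup and the authentication check happen before the binding cache is touched, so an unauthenticated packet can never redirect traffic for a home address; the sequence number check additionally stops a captured, correctly authenticated update from being replayed later to reinstate a stale care-of address.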
The applicant for the present invention has proposed, in Japanese Patent Application No. 2000-5560, a method (LIN6) different from Mobile IPv6. In one embodiment of the method disclosed in Japanese Patent Application No. 2000-5560, the address of a mapping agent of a mobile node and a node identifier are registered in a domain name server. The mapping agent receives movement information of the mobile node and updates a current locator corresponding to the node identifier of the mobile node. The current locator is a location indicator that is updated in response to movement of the mobile node.
When a terminal wants to start a communication with a mobile node, the terminal queries the domain name server on the basis of the host name of the mobile node. In response, the domain name server informs the terminal of the address of the mapping agent and the node identifier. The terminal then transmits a query on the basis of the node identifier to the mapping agent to acquire a current locator of the node. The terminal then generates an IPv6 address of the mobile node on the basis of the acquired current locator and node identifier of the mobile node and transmits it.
In the method based on Mobile IPv6 and also in the method disclosed in Japanese Patent Application No. 2000-5560, when movement information of a node is transmitted to a home agent or a mapping agent, authentication is performed to check the validity of data.
Furthermore, in a terminal-to-terminal communication in which a destination address is acquired in the above-described manner, data transmitted in the communication often includes secret information such as private information or business/financial transaction information which should be securely concealed. In data communication via the Internet, unlike data communication via a private line, there is a possibility that data is tapped or stolen during communication. To prevent data from being stolen in an open communication network system such as the Internet so as to achieve as high security as that achieved in private communication lines, a Virtual Private Network (“VPN”) technique has been proposed.
A representative example of a communication protocol for the VPN is Security Architecture for Internet Protocol (“IPsec”). In IPsec, the encryption algorithm and key information to be used are determined between the apparatuses or terminals that communicate, so that this information is shared between them. More specifically, in order to perform secure end-to-end communication between two communication terminals, the encryption algorithm and key information must be shared by the two communication terminals.
An example of the process of acquiring a shared encryption algorithm and key information is an authentication process using public key cryptography. In public key cryptography, a trusted third party called a certificate authority (CA) issues a public key certificate including a public key. Communication terminals acquire the public key from the certificate authority. Using the acquired public key and the private key corresponding to the public key, encryption, decryption, and generation and verification of digital signatures are performed. However, a problem with this technique is that both terminals have to perform high-complexity calculations, which results in a delay in the transmission of information.
Another method of sharing a key is known as the Internet Key Exchange (“IKE”) method, in which encryption and authentication parameters are dynamically generated and exchanged. The Kerberos method is another method of sharing a session key used in encryption of information transmitted between terminals. In the Kerberos method, a key distribution center intervenes between two terminals which are going to start communication with each other, and the key distribution center generates a key in response to a request issued by one of the two terminals and transmits the generated key to the two terminals.
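The key distribution center exchange just described, written out as an added example that is not taken from the patent: one terminal requests a key, the center generates a session key and delivers it to both terminals, each under that terminal's long-term key, and the two terminals then protect their traffic with the session key. The cipher used to protect the messages is a toy encrypt-then-MAC built from HMAC-SHA256 so that the example runs with only the Python standard library; it stands in for whatever symmetric algorithm the parties share and is not a production cipher. The JSON message fields and the terminal names are constructed.

```python
# Added example (not from the patent): a key-distribution-center exchange in
# which one terminal requests a session key and the center delivers it to both
# terminals under their long-term keys. seal/unseal is a toy encrypt-then-MAC
# built from HMAC-SHA256 (an assumption for illustration, not a production cipher).
import hashlib
import hmac
import json
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys derived from one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream: HMAC(nonce || counter) blocks, truncated to n bytes.
    out = b"".join(hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyDistributionCenter:
    """Shares a long-term key with every terminal and generates session keys."""

    def __init__(self, long_term_keys: dict):
        self.keys = dict(long_term_keys)

    def request(self, requester: str, peer: str) -> dict:
        """Generate one session key; return a sealed notice for each of the two terminals."""
        session_key = secrets.token_bytes(32)

        def notice(recipient, other):
            body = json.dumps({"peer": other, "key": session_key.hex()}).encode()
            return seal(self.keys[recipient], body)

        return {requester: notice(requester, peer), peer: notice(peer, requester)}


class Terminal:
    def __init__(self, name: str, long_term_key: bytes):
        self.name, self.key, self.sessions = name, long_term_key, {}

    def accept_key(self, notice: bytes) -> str:
        """Unseal the center's notice and remember the session key; returns the peer name."""
        info = json.loads(unseal(self.key, notice))
        self.sessions[info["peer"]] = bytes.fromhex(info["key"])
        return info["peer"]

    def send(self, peer: str, message: bytes) -> bytes:
        return seal(self.sessions[peer], message)

    def receive(self, peer: str, blob: bytes) -> bytes:
        return unseal(self.sessions[peer], blob)


def run_exchange():
    """Constructed demo: A asks the center for a key to talk to B, then sends B one message."""
    kdc = KeyDistributionCenter({"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)})
    a, b = Terminal("A", kdc.keys["A"]), Terminal("B", kdc.keys["B"])
    notices = kdc.request("A", "B")
    peer_of_a, peer_of_b = a.accept_key(notices["A"]), b.accept_key(notices["B"])
    received = b.receive("A", a.send("B", b"secret payload"))
    return peer_of_a, peer_of_b, a.sessions["B"] == b.sessions["A"], received
```

Because the center holds every terminal's long-term key, it is the one component whose compromise exposes all sessions, and it must be reachable before any secure communication can begin; that, together with the trust placed in it, is the trade-off against the per-connection computation of the public key approach in the preceding paragraph.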
To perform a secure communication with a mobile terminal in accordance with the IPsec protocol, a terminal which wants to start the communication with the mobile node first transmits a query on the basis of a host name of the mobile node to a domain name server. In response, the domain name server transmits data indicating the address of a mapping agent of the mobile node and a node identifier to the terminal. On the basis of the acquired node identifier, the terminal queries the mapping agent for a current locator of the node. The terminal generates an IPv6 address on the basis of the acquired current locator and the node identifier of the mobile node and transmits it. Furthermore, the two terminals determine an encryption algorithm and key information to be used. After completion of the complicated process described above, it becomes possible to start a secure communication between the two terminals.
To perform a secure communication with a mobile terminal via an IP network, as described above, it is needed to first acquire an address of the mobile terminal via a domain name server, a home agent, or a mapping agent, and then share information necessary for the secure communication between a calling terminal and a destination terminal. Thus, a high-complexity process is needed before starting an actual communication between the two terminals.